On Tue, Feb 11, 2020 at 3:46 PM r hayman <rhayman at pureice.com> wrote:
>
> While I'm not familiar with OpenWRT, since it's Linux, it probably has the built-in capability to capture traffic out of the box.
>
> I'd start by looking at the destination IP addresses, protocols (UDP/TCP), and the destination ports.
>
> /var/log/ufw.log (if OpenWRT uses ufw), /var/log/syslog, or wherever it logs traffic to
>
> MAC = which LAN device traffic originates from if not statically assigned via DHCP
> DST = destination IP
> SRC = your LAN IP device (makes things easy if you statically assign via DHCP)
> PROTO = protocol
> DPT = destination port the device is trying to connect to
>
> use nslookup on the $DST
> google search "port $DPT"
>
> If you have a specific manufacturer's brand device, search for which ports they use - Apple uses https://support.apple.com/en-us/HT202944
>
> I have all pre-defined DHCP static addresses, and rules in my firewall/router that (a) block all incoming connections, (b) block all outgoing connections - except for those I define either by source, destination, protocol, or destination port number. These are heavy-handed restrictions on the outgoing side that require maintenance, but nothing escapes my LAN without me specifying it explicitly.
>
>
I think this last is exactly what I'm trying to work toward.
Trying to figure out what is causing traffic 'x' when I'm not using
the hardware myself.

Thanks for the ideas!!!
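As an added example (not part of the thread), the script below parses the MAC/SRC/DST/PROTO/DPT fields the quoted reply lists from iptables/ufw-style kernel log lines and tallies which LAN device is talking to which destination and port, which is the first step toward an explicit outbound allow-list. The log lines are constructed samples, and the source MAC is pulled from the MAC= field (destination MAC, source MAC, ethertype), so a device shows up even when its IP is not statically assigned.

```python
import re
from collections import Counter

# Constructed sample lines in the iptables/ufw kernel-log format (not real captures).
SAMPLE_LOG = """\
Feb 11 15:40:01 router kernel: [UFW BLOCK] IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 11 15:40:02 router kernel: [UFW BLOCK] IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 11 15:40:05 router kernel: [UFW BLOCK] IN=br-lan OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:02:08:00 SRC=192.168.1.40 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=UDP SPT=40000 DPT=123 LEN=56
Feb 11 15:40:09 router sshd[123]: Accepted publickey for admin from 192.168.1.5
"""

# KEY=VALUE tokens; bare flags such as DF or SYN have no '=' and are skipped.
FIELD_RE = re.compile(r'\b([A-Z]+)=(\S*)')


def parse_line(line):
    """Return a dict of KEY=VALUE fields for a firewall log line, or None for other lines."""
    if "PROTO=" not in line or "DST=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarize(log_text):
    """Count flows by (SRC, DST, PROTO, DPT) and map each SRC IP to its source MAC."""
    flows = Counter()
    src_mac = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        flows[(f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("DPT"))] += 1
        # MAC= holds the frame header: 6 octets dst MAC, 6 octets src MAC, 2 octets ethertype.
        parts = f.get("MAC", "").split(":")
        if len(parts) >= 12:
            src_mac[f.get("SRC")] = ":".join(parts[6:12])
    return flows, src_mac


if __name__ == "__main__":
    flows, src_mac = summarize(SAMPLE_LOG)
    print(f"{'count':>5}  {'src':<15} {'mac':<17} {'dst':<15} {'proto':<5} dpt")
    for (src, dst, proto, dpt), n in flows.most_common():
        print(f"{n:>5}  {src:<15} {src_mac.get(src, '?'):<17} {dst:<15} {proto:<5} {dpt}")
```

Feed it the real file (for example `python3 flows.py < /var/log/syslog` after switching SAMPLE_LOG for stdin), then run nslookup on the DST column as the reply suggests.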